Gen.Variant.Kazy.597068_827322e5d5
Gen:Variant.Kazy.597068 (B) (Emsisoft), Gen:Variant.Kazy.597068 (AdAware), Backdoor.Win32.PcClient.FD (Lavasoft MAS)
Behaviour: Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 827322e5d56f9be09f01e676fd46d614
SHA1: 4bef020c9c0b5c079a2f782407154b4f1998a48d
SHA256: 073b33a841b47264a4294eecd5c73cb739c0b810a90d6a77b1e673a64f47c9e6
SSDeep: 98304:VHemcmTUzDCwKqr8sHQqabe5h0Op0f2VXvXW:FeFmTUPCHqIsSS5h0nf2Bv
Size: 3288064 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-03-19 11:14:37
Analyzed on: WindowsXP SP3 32-bit
Summary:
Backdoor. Malware that enables remote control of the victim's machine.
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
rundll32.exe:1612
rundll32.exe:256
%original file name%.exe:1648
The Backdoor injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1648 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Program Files%\TerminusSupport\TerminusSupport.dll (133377 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tf7aa05a26.dll (15021 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tf7aa05a26.dll (0 bytes)
Registry activity
The process rundll32.exe:1612 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"bbf88800" = "///%"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\00000000]
"a47da861" = "o01O07x0m00K02E0aU1g06E0nl1O06t0j01O06O0mU1g02I0ox1S06q0nU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1g06E0nl1O06t0j01O06O0mU1g02I0ox1S02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Y06E0ml1h0640ml1O0780px1N06E0ix1M06b0px1N02I0ox1S06q0nU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1Y06E0ml1h0640ml1O0780px1N06E0ix1M06b0px1N02I0ox1S02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1h06h0ml1 06b0i01U0640ml1N06t0ml0S06h0nl0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1h06h0ml1 06b0i01U0640ml1N06t0ml0S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1A06h0nl1 06x0ql1D07x0m01T07b0ox1O06h0nU1S02I0ox1S02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1D06I0mU1O0640nl1g06t0iU1M0640m00S06I0px1O02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1g06E0nl1O06t0j01O06U0ox1N07x0al1D06I0pl1T02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1g06E0nl1O06t0j01O06U0ox1N07x0al1S06t0i00T07t0nl1D06I0mU1O0640n01Y02E0"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"1c311243" = "GxAp/X2/FPAm/X6/FlAu/XD/ax/j/Xt/axAv/X6////%"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\00000000]
"3efeb33e" = ""
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"a2e3b941" = "///%"
"340d3099" = "/P////%%"
"38583bc3" = "Ml/2/CF/M//g/CZ////%"
"c24899a6" = "VP/g/CV/Vl/2/Cx////%"
"f2c53c49" = "UlAr/XJ/c//k////"
"27ddcf6f" = "///%"
"72758a5d" = "///%"
"060df2cd" = "GlAu/YP/c/Au/YZ/GxAp/YZ/GP/j/Xt/axAv/X6////%"
"0e93c3f3" = "///%"
"e46c271e" = "///%"
"48bd1aff" = "V/////%%"
"f6ad6fa6" = "V/////%%"
"e8f9dcc7" = "UlAr/XJ/c//k////"
"f1f24e29" = "Vl/l/C/////%"
"1520c6f1" = "V/////%%"
"2d71d5ab" = "V/////%%"
"f0bf0bde" = "///%"
"6185d035" = "Vx/2/Cx/V//l////"
"c5705860" = "Vx////%%"
"d1abcdb6" = "///%"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\00000000]
"370856c7" = ""
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"0dc3ee96" = "/P////%%"
"414bc593" = "///%"
"fe94ce1e" = "V/////%%"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84]
"iiid" = "1"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"7367429f" = "///%"
"a1dcff5b" = "V/////%%"
"587b5709" = "V/////%%"
"8b9e4cbc" = "V/////%%"
"d94388d2" = "GxAp/X2/FPAm/X6/FlAu/XD/ax/j/Xt/axAv/X6////%"
"3c09c42b" = "///%"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 28 2A 0C 8C 47 BE 2B 2F 67 BA 11 6C D6 79 E2"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\00000000]
"493c7345" = "m01e0780mU1 0780mU1 0640al1D06I0pl1T00%%, pl1D06I0qx1Y06E0qU1 0640nl0S06b0nU1Z00%%"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"c6c5dd44" = "V/////%%"
"2e22d94e" = "///%"
"51d2f2ea" = "K/Au/YZ/aPAp/X2/cPAg/WV/cPAl/Y//alAf/YP////%"
"65114b36" = "VP/l////"
"a0743acc" = "N/////%%"
"0c230bcb" = "///%"
"37b7a6d8" = "UlAr/XJ/c//k////"
"c99a5f5c" = "///%"
"7f69fa1f" = "///%"
The process rundll32.exe:256 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 1B 46 F4 C8 FC FF CE 6D C8 29 62 A4 FF 41 C6"
The process %original file name%.exe:1648 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"0c230bcb" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\00000000]
"a47da861" = "o01O07x0m00K02E0aU1g06E0nl1O06t0j01O06O0mU1g02I0ox1S06q0nU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1g06E0nl1O06t0j01O06O0mU1g02I0ox1S02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Y06E0ml1h0640ml1O0780px1N06E0ix1M06b0px1N02I0ox1S06q0nU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1Y06E0ml1h0640ml1O0780px1N06E0ix1M06b0px1N02I0ox1S02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1h06h0ml1 06b0i01U0640ml1N06t0ml0S06h0nl0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1h06h0ml1 06b0i01U0640ml1N06t0ml0S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1A06h0nl1 06x0ql1D07x0m01T07b0ox1O06h0nU1S02I0ox1S02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1D06I0mU1O0640nl1g06t0iU1M0640m00S06I0px1O02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1g06E0nl1O06t0j01O06U0ox1N07x0al1D06I0pl1T02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1g06E0nl1O06t0j01O06U0ox1N07x0al1S06t0i00T07t0nl1D06I0mU1O0640n01Y02E0"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"340d3099" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"48bd1aff" = "V/////%%"
"d1abcdb6" = "///%"
"340d3099" = "/P////%%"
"1c311243" = "GxAp/X2/FPAm/X6/FlAu/XD/ax/j/Xt/axAv/X6////%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620\eae10f9d]
"d94388d2" = "GxAp/X2/FPAm/X6/FlAu/XD/ax/j/Xt/axAv/X6////%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"c6c5dd44" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{5c7da84}]
"CategoryName" = ""
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_b0250ce0\eae10f9d]
"dbaf3ce3" = "/P////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{5c7da84}]
"DisplayName" = "TerminusSupport"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"587b5709" = "V/////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"2d71d5ab" = "V/////%%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620]
"svi" = "0"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"e46c271e" = "///%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620\eae10f9d]
"bbf88800" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84]
"usr.1" = "d6fxtGdefABCDWYSUM"
"usr.0" = "SSL46Dwysurpnikg01"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620\eae10f9d]
"fe94ce1e" = "V/////%%"
"f2c53c49" = "UlAr/XJ/c//k////"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"d94388d2" = "GxAp/X2/FPAm/X6/FlAu/XD/ax/j/Xt/axAv/X6////%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84]
"uuid" = "16675769074180770034"
[HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}]
"n" = "1"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\00000000]
"a47da861" = "o01O07x0m00K02E0aU1g06E0nl1O06t0j01O06O0mU1g02I0ox1S06q0nU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1g06E0nl1O06t0j01O06O0mU1g02I0ox1S02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Y06E0ml1h0640ml1O0780px1N06E0ix1M06b0px1N02I0ox1S06q0nU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1Y06E0ml1h0640ml1O0780px1N06E0ix1M06b0px1N02I0ox1S02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1h06h0ml1 06b0i01U0640ml1N06t0ml0S06h0nl0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1h06h0ml1 06b0i01U0640ml1N06t0ml0S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1A06h0nl1 06x0ql1D07x0m01T07b0ox1O06h0nU1S02I0ox1S02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1D06I0mU1O0640nl1g06t0iU1M0640m00S06I0px1O02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1g06E0nl1O06t0j01O06U0ox1N07x0al1D06I0pl1T02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1g06E0nl1O06t0j01O06U0ox1N07x0al1S06t0i00T07t0nl1D06I0mU1O0640n01Y02E0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620\eae10f9d]
"7367429f" = "///%"
[HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}]
"n" = "1"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\00000000]
"493c7345" = "m01e0780mU1 0780mU1 0640al1D06I0pl1T00%%, pl1D06I0qx1Y06E0qU1 0640nl0S06b0nU1Z00%%"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620\00000000]
"a47da861" = "o01O07x0m00K02E0aU1g06E0nl1O06t0j01O06O0mU1g02I0ox1S06q0nU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1g06E0nl1O06t0j01O06O0mU1g02I0ox1S02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Y06E0ml1h0640ml1O0780px1N06E0ix1M06b0px1N02I0ox1S06q0nU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1Y06E0ml1h0640ml1O0780px1N06E0ix1M06b0px1N02I0ox1S02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1h06h0ml1 06b0i01U0640ml1N06t0ml0S06h0nl0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1h06h0ml1 06b0i01U0640ml1N06t0ml0S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1A06h0nl1 06x0ql1D07x0m01T07b0ox1O06h0nU1S02I0ox1S02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1D06I0mU1O0640nl1g06t0iU1M0640m00S06I0px1O02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1g06E0nl1O06t0j01O06U0ox1N07x0al1D06I0pl1T02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1g06E0nl1O06t0j01O06U0ox1N07x0al1S06t0i00T07t0nl1D06I0mU1O0640n01Y02E0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{5c7da84}]
"NoRepair" = "1"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620]
"Version" = "22022137"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620\eae10f9d]
"e46c271e" = "///%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"587b5709" = "V/////%%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84]
"iiid" = "1"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"2e22d94e" = "///%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620\eae10f9d]
"c24899a6" = "VP/g/CV/Vl/2/Cx////%"
"51d2f2ea" = "K/Au/YZ/aPAp/X2/cPAg/WV/cPAl/Y//alAf/YP////%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84]
"dlpath" = "c:\progra~1\termin~1\termin~1.dll"
"svn" = "TerminusSupport"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"c99a5f5c" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84]
"date" = "1431208048"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84]
"Version" = "22022137"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620\eae10f9d]
"2d71d5ab" = "V/////%%"
"060df2cd" = "GlAu/YP/c/Au/YZ/GxAp/YZ/GP/j/Xt/axAv/X6////%"
"a1dcff5b" = "V/////%%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620]
"date" = "1431208048"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"0e93c3f3" = "///%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620\eae10f9d]
"8b9e4cbc" = "V/////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"6185d035" = "Vx/2/Cx/V//l////"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84]
"svt" = "1431215253"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620\eae10f9d]
"1c311243" = "GxAp/X2/FPAm/X6/FlAu/XD/ax/j/Xt/axAv/X6////%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620\eae10f9d]
"d1abcdb6" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"3c09c42b" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"7367429f" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"0c230bcb" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"060df2cd" = "GlAu/YP/c/Au/YZ/GxAp/YZ/GP/j/Xt/axAv/X6////%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620\eae10f9d]
"48bd1aff" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{5c7da84}]
"InstallDate" = "20140212"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84]
"data.1" = "fq3FwDzrmQ4PQ6789/I9CSRAR/R20l1hHhlFLn311ifdu/YsNDevJZsv5PGFavYsGIPjeuckV7zubA/peM9YmTvg gj3vlBJS9xHy/"
"data.0" = "FbpZVIh48t/0uv xztKDLvbagv17jGQ8av4lPltSWv2UrdMy QwTnDFV2jg4hGfQvIhFuTMOQ"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620]
"uuid" = "16675769074180770034"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620\eae10f9d]
"65114b36" = "VP/l////"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620\eae10f9d]
"0e93c3f3" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\00000000]
"370856c7" = ""
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620\eae10f9d]
"2e22d94e" = "///%"
"38583bc3" = "Ml/2/CF/M//g/CZ////%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"2e22d94e" = "///%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620\eae10f9d]
"c6c5dd44" = "V/////%%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620]
"svt" = "1431215253"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"c24899a6" = "VP/g/CV/Vl/2/Cx////%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"414bc593" = "///%"
"c24899a6" = "VP/g/CV/Vl/2/Cx////%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84]
"date" = "1431208048"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620\00000000]
"493c7345" = "m01e0780mU1 0780mU1 0640al1D06I0pl1T00%%, pl1D06I0qx1Y06E0qU1 0640nl0S06b0nU1Z00%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{5c7da84}]
"QuietUninstallString" = "%System%\RUNDLL32.EXE C:\PROGRA~1\TERMIN~1\TERMIN~1.DLL,_uninstall /un /uq"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\00000000]
"370856c7" = ""
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"27ddcf6f" = "///%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620\eae10f9d]
"72758a5d" = "///%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620]
"usr.1" = "d6fxtGdefABCDWYSUM"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"51d2f2ea" = "K/Au/YZ/aPAp/X2/cPAg/WV/cPAl/Y//alAf/YP////%"
"0dc3ee96" = "/P////%%"
"c99a5f5c" = "///%"
"7f69fa1f" = "///%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620\eae10f9d]
"414bc593" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"48bd1aff" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"f0bf0bde" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84]
"LRTS" = "0"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620\eae10f9d]
"a0743acc" = "N/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"a0743acc" = "N/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84]
"Mode" = "4026531840"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"a0743acc" = "N/////%%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620]
"svx" = ""
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"1520c6f1" = "V/////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84]
"Mode" = "4026531840"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"0dc3ee96" = "/P////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\00000000]
"3efeb33e" = ""
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84]
"svi" = "0"
"svpath" = "c:\Program Files\TerminusSupport\TerminusSupport.dll"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620]
"Mode" = "4026531840"
"iiid" = "1"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"8b9e4cbc" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"c5705860" = "Vx////%%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"fe94ce1e" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"2d71d5ab" = "V/////%%"
"f6ad6fa6" = "V/////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"38583bc3" = "Ml/2/CF/M//g/CZ////%"
"a1dcff5b" = "V/////%%"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"414bc593" = "///%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620\eae10f9d]
"0dc3ee96" = "/P////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"0e93c3f3" = "///%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620\eae10f9d]
"27ddcf6f" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"d94388d2" = "GxAp/X2/FPAm/X6/FlAu/XD/ax/j/Xt/axAv/X6////%"
"f0bf0bde" = "///%"
"c5705860" = "Vx////%%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620\eae10f9d]
"6185d035" = "Vx/2/Cx/V//l////"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620]
"svn" = "TerminusSupport"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\00000000]
"493c7345" = "m01e0780mU1 0780mU1 0640al1D06I0pl1T00%%, pl1D06I0qx1Y06E0qU1 0640nl0S06b0nU1Z00%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620\eae10f9d]
"f6ad6fa6" = "V/////%%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620]
"data.0" = "FbpZVIh48t/0uv xztKDLvbagv17jGQ8av4lPltSWv2UrdMy QwTnDFV2jg4hGfQvIhFuTMOQ"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84]
"usr.0" = "SSL46Dwysurpnikg01"
"usr.1" = "d6fxtGdefABCDWYSUM"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84]
"Install_Dir" = "%Program Files%\TerminusSupport"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"65114b36" = "VP/l////"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"38583bc3" = "Ml/2/CF/M//g/CZ////%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620\00000000]
"370856c7" = ""
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84]
"iiid" = "1"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"c6c5dd44" = "V/////%%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620\eae10f9d]
"7f69fa1f" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_b0250ce0\eae10f9d]
"340d3099" = "///%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"1520c6f1" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84]
"State" = "0"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"060df2cd" = "GlAu/YP/c/Au/YZ/GxAp/YZ/GP/j/Xt/axAv/X6////%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\00000000]
"3efeb33e" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"a2e3b941" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{5c7da84}]
"UninstallString" = "%System%\RUNDLL32.EXE C:\PROGRA~1\TERMIN~1\TERMIN~1.DLL,_uninstall /un"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"a2e3b941" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{5c7da84}]
"NoModify" = "1"
[HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}]
"05c7da84" = "%Program Files%\TerminusSupport\TerminusSupport.dll"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620\00000000]
"3efeb33e" = ""
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"bbf88800" = "///%"
"e46c271e" = "///%"
"f6ad6fa6" = "V/////%%"
"72758a5d" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"dbaf3ce3" = "/P////%%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620\eae10f9d]
"1520c6f1" = "V/////%%"
"e8f9dcc7" = "UlAr/XJ/c//k////"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"8b9e4cbc" = "V/////%%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620\eae10f9d]
"a2e3b941" = "///%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 64 3C 86 35 54 9A 37 9D 5A FC 8F C0 53 72 0D"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84]
"svx" = ""
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620\eae10f9d]
"587b5709" = "V/////%%"
"3c09c42b" = "///%"
"0c230bcb" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"d1abcdb6" = "///%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620\eae10f9d]
"c99a5f5c" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"fe94ce1e" = "V/////%%"
"a1dcff5b" = "V/////%%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620]
"State" = "0"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84]
"uuid" = "16675769074180770034"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620\eae10f9d]
"340d3099" = "/P////%%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620]
"data.1" = "fq3FwDzrmQ4PQ6789/I9CSRAR/R20l1hHhlFLn311ifdu/YsNDevJZsv5PGFavYsGIPjeuckV7zubA/peM9YmTvg gj3vlBJS9xHy/"
"usr.0" = "SSL46Dwysurpnikg01"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620\eae10f9d]
"c5705860" = "Vx////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"7367429f" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"65114b36" = "VP/l////"
"51d2f2ea" = "K/Au/YZ/aPAp/X2/cPAg/WV/cPAl/Y//alAf/YP////%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84]
"data.0" = "FbpZVIh48t/0uv xztKDLvbagv17jGQ8av4lPltSWv2UrdMy QwTnDFV2jg4hGfQvIhFuTMOQ"
"data.1" = "fq3FwDzrmQ4PQ6789/I9CSRAR/R20l1hHhlFLn311ifdu/YsNDevJZsv5PGFavYsGIPjeuckV7zubA/peM9YmTvg gj3vlBJS9xHy/"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"27ddcf6f" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"1c311243" = "GxAp/X2/FPAm/X6/FlAu/XD/ax/j/Xt/axAv/X6////%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"7f69fa1f" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84]
"LRTS" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{5c7da84}]
"Publisher" = "Software Publisher"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620]
"LRTS" = "0"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"3c09c42b" = "///%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\1723938809044620\eae10f9d]
"f0bf0bde" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"bbf88800" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{5c7da84}]
"Cache" = "9428760297565573948"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"6185d035" = "Vx/2/Cx/V//l////"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
"72758a5d" = "///%"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE security-zone settings so that all local web nodes with no dots, which do not refer to any zone, are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The Backdoor modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
The Backdoor deletes the following registry key(s):
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84]
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_05c7da84\eae10f9d]
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
| MD5 | File path |
|---|---|
| 2b3db76fe5b2d319405cdbc3a19490c4 | c:\Program Files\TerminusSupport\TerminusSupport.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 280185 | 280576 | 4.65619 | 667de8948666150ce02a16a31ba2a35e |
| .rdata | 286720 | 33344 | 33792 | 4.02145 | 8cc6f5af71c0a3de95349113f57766a7 |
| .data | 323584 | 2960756 | 2950144 | 5.28458 | 0028a531e5139064a9d8b2aa7e65274f |
| .reloc | 3284992 | 21802 | 22016 | 2.81744 | 319668b871c25e5447a4abb11d092798 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://turner.map.fastly.net/ | |
| hxxp://getterfire.info/get/?data=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&version=4 | |
| hxxp://edition.cnn.com/ | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET USER_AGENTS Suspicious Win32 User Agent
ET MALWARE Adware.Win32/SProtector.A Client Checkin
Traffic
HEAD / HTTP/1.1
Host: edition.cnn.com
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
HTTP/1.1 200 OK
x-servedByHost: prd-10-60-160-28.nodes.56m.dmtio.net
Cache-Control: max-age=3600
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self' hXXp://*.cnn.com:* hXXps://*.cnn.com:* *.cnn.net:* *.turner.com:* *.ugdturner.com:* *.vgtf.net:*; script-src 'unsafe-inline' 'unsafe-eval' 'self' *; style-src 'unsafe-inline' 'self' *; frame-src 'self' *; object-src 'self' *; img-src 'self' *; media-src 'self' *; font-src 'self' *; connect-src 'self' *;
Content-Type: text/html; charset=utf-8
Via: 1.1 varnish
Content-Length: 266594
Accept-Ranges: bytes
Date: Sat, 09 May 2015 23:47:28 GMT
Via: 1.1 varnish
Age: 174
Connection: close
X-Served-By: cache-iad2123-IAD, cache-fra1240-FRA
X-Cache: HIT, HIT
X-Cache-Hits: 5, 3
X-Timer: S1431215248.323863,VS0,VE0
Vary: Accept-Encoding
GET /get/?data=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&version=4 HTTP/1.1
Accept: */*
User-Agent: win32
Host: getterfire.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sat, 09 May 2015 23:46:46 GMT
Content-Length: 0
Connection: close
The Backdoor connects to the servers at the following location(s):
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
rundll32.exe:1612
rundll32.exe:256
%original file name%.exe:1648
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Program Files%\TerminusSupport\TerminusSupport.dll (133377 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tf7aa05a26.dll (15021 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.